Controversial retail giant Sports Direct has come in for hefty criticism after reportedly failing to inform staff that their personal details had been exposed in a cyber attack which took place late last year.
A whistleblower told The Register that the intruder exploited publicly known vulnerabilities in an unpatched version of the DNN content management platform the firm was using to run a staff portal.
Unencrypted data including names, email and postal addresses and phone numbers were apparently exposed – more than enough for fraudsters to launch follow-up scams on the individuals.
The attack is said to have been detected in September, but the company didn’t hear of it until December, indicating a breakdown in Sports Direct’s incident response process.
Even then, although the firm apparently reported the incident to the Information Commissioner’s Office (ICO), it decided not to tell staff after concluding that no attempts had been made to copy or share the data further.
The whistleblower even claimed that the attacker had left a phone number on the intranet, inviting bosses to get in touch.
Sports Direct has declined to comment on the incident beyond saying its policy is to continually improve systems and notify the “relevant authorities” where appropriate.
The firm claims to “employ and engage” over 29,000 people.
Jason Allaway, VP UK & Ireland, RES, claimed that an organization of its size should not be storing sensitive staff data behind an insecure platform.
“This is a stark reminder not only to Sports Direct but every company that vigilance should be implemented as gospel. Every organization should always assume they have been infiltrated. As such, penetration tests should be carried out regularly. It’s even worth getting friendly hackers to expose – and then patch up – any existing vulnerabilities before they can be exploited,” he explained.
“Sports Direct should treat this episode as a valuable lesson and an opportunity to ramp up their security processes. For other companies, it's another reminder that you can't hide a breach from your employees, let alone everyone else.”
Digital Guardian threat researcher, Thomas Fischer, added that organizations of all types have a duty of care and a legal obligation to protect data.
“With personal details in their hands, hackers may have targeted employees through phishing and social engineering attacks – and the employees would have had no reason to believe anything was suspicious,” he argued.